Check that Gemnasium vulnerability database is a superset of ruby-advisory-db (bundler-audit)
Proposal
As part of the ongoing effort to reduce the maintenance burden of ~"Category:Dependency Scanning" and increase the velocity of ~"group::composition analysis", we need to investigate whether Gemnasium, together with its vulnerability database, is now a superset of ruby-advisory-db, and whether the bundler-audit Secure analyzer can be abandoned in favor of Gemnasium.
The outcome of this issue is either a set of notes about what is lacking, or confirmation that the Gemnasium DB is already a superset of ruby-advisory-db and will remain so.
Notes about what is possibly lacking are to be turned into issues with the same parent epic and the same labels.
Check list
- compare schemas, and document gaps
- compare security advisories, and document gaps
- assess risk of missing new advisories, and recommend actions to mitigate these risks
Gaps in schema can be ignored if the corresponding fields are not leveraged in the Security Report schema.
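The advisory comparison from the check list, as an added example rather than code from GitLab or either database project: it matches ruby-advisory-db records against Gemnasium DB records by shared CVE/GHSA identifier per gem, and separately buckets the two cases the results below cannot treat as plain gaps (interpreter/stdlib advisories from the `rubies/` and `libraries/` directories, and OSVDB-only advisories that carry no identifier Gemnasium could match). The record shapes (`gem`/`engine`/`library`, `cve`, `ghsa`, `osvdb` on one side; `package_slug` and `identifiers` on the other) are assumptions modelled on the repositories' public layouts, and every record is constructed.

```python
"""Classify ruby-advisory-db records against Gemnasium DB records (added example,
not GitLab's or Gemnasium's code). Record shapes are assumptions modelled on both
repositories' layouts: ruby-advisory-db entries carry `gem` (or `engine`/`library`
under rubies/ and libraries/), `cve`, `ghsa`, `osvdb`; Gemnasium DB entries carry
`package_slug` ("gem/<name>") and an `identifiers` list. Records are constructed."""
from collections import defaultdict

RUBY_ADVISORY_DB = [  # constructed; `path` mirrors the repository layout
    {"path": "gems/rack/CVE-2020-0001.yml", "gem": "rack", "cve": "2020-0001", "ghsa": "xxxx-yyyy-zzzz"},
    {"path": "gems/nokogiri/CVE-2020-0002.yml", "gem": "nokogiri", "cve": "2020-0002"},
    {"path": "gems/old-gem/OSVDB-12345.yml", "gem": "old-gem", "osvdb": 12345},
    {"path": "rubies/ruby/CVE-2020-0003.yml", "engine": "ruby", "cve": "2020-0003"},
    {"path": "libraries/openssl/CVE-2020-0004.yml", "library": "openssl", "cve": "2020-0004"},
]
GEMNASIUM_DB = [  # constructed
    {"package_slug": "gem/rack", "identifiers": ["CVE-2020-0001", "GHSA-xxxx-yyyy-zzzz"]},
    {"package_slug": "gem/rack", "identifiers": ["CVE-2019-9999"]},
]


def ruby_identifiers(adv):
    """Normalise a ruby-advisory-db record to the prefixed identifiers Gemnasium uses."""
    ids = set()
    if adv.get("cve"):
        ids.add(f"CVE-{adv['cve']}")
    if adv.get("ghsa"):
        ids.add(f"GHSA-{adv['ghsa']}")
    return ids  # an OSVDB-only record yields an empty set


def classify_gaps(ruby_db, gemnasium_db):
    """Bucket each ruby-advisory-db path as covered, missing, osvdb_only or unsupported."""
    known = defaultdict(set)  # gem name -> identifiers already present in Gemnasium
    for adv in gemnasium_db:
        kind, _, name = adv["package_slug"].partition("/")
        if kind == "gem":
            known[name].update(adv["identifiers"])
    result = {"covered": [], "missing": [], "osvdb_only": [], "unsupported": []}
    for adv in ruby_db:
        if "gem" not in adv:  # interpreter/stdlib advisories: no Gemnasium equivalent yet
            result["unsupported"].append(adv["path"])
            continue
        ids = ruby_identifiers(adv)
        if not ids:  # only an OSVDB number: cannot be matched by identifier
            result["osvdb_only"].append(adv["path"])
        elif ids & known[adv["gem"]]:
            result["covered"].append(adv["path"])
        else:
            result["missing"].append(adv["path"])
    return result
```

The `missing` bucket is what becomes follow-up issues; `osvdb_only` and `unsupported` need a decision rather than a copy.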
Results
What is missing in the Gemnasium DB?
- gaps in advisory schema: none
- gaps in security advisories: 44 of 433
- risk of missing new advisories, and recommended actions to mitigate this risk:
  - integrate a synchronization job that monitors https://github.com/rubysec/ruby-advisory-db
  - we cannot cope with advisories related to standard libraries/compilers/interpreters yet
TODO: if anything is missing, then turn these notes into issues with the same parent epic and the same labels
🤖 Auto-Summary
Discoto Usage
Points
Discussion points are declared by headings, list items, and single lines that start with the text `point:` (case-insensitive). For example, the following are all valid points:
```markdown
#### POINT: This is a point
* point: This is a point
+ Point: This is a point
- pOINT: This is a point
point: This is a **point**
```
Note that any markdown used in the point text will also be propagated into the topic summaries.
Outcomes
Outcomes define the decisions or resolutions of a discussion. Once outcomes are defined, sub-topics and points are collapsed underneath the outcomes.
Outcomes are declared in the same manner as points:
```markdown
#### OUTCOME: This is an outcome
* outcome: This is an outcome
+ Outcome: This is an outcome
- oUTCOME: This is an outcome
outcome: This is an outcome
```
Note that multiple outcomes may be declared for each topic.
Topics
Topics can be stand-alone and contained within an issuable (epic, issue, MR), or can be inline.
Inline topics are defined by creating a new thread (discussion) where the first line of the first comment is a heading that starts with `topic:` (case-insensitive). For example, the following are all valid topics:
```markdown
# Topic: Inline discussion topic 1
## TOPIC: **{+A Green, bolded topic+}**
### tOpIc: Another topic
```
Quick Actions
| Action | Description |
|---|---|
| `/discuss sub-topic TITLE` | Create an issue for a sub-topic. Does not work in epics |
| `/discuss link ISSUABLE-LINK` | Link an issuable as a child of this discussion |
Discussion-Size Indicators
The relative size of the discussion occurring within a topic and its sub-topics is indicated via braille dots.
More dots means that more points or sub-topics exist within a given topic.
Examples:
- TOPIC ⣿⣿⡆ : a large discussion occurred here
- TOPIC ⣇ : a smaller discussion occurred here
- Assess risk of missing new advisories, and recommend actions to mitigate these risks #288322 (comment 692761260)
  - ✅ Majority of advisories are public domain (433/521). #288322 (comment 692761260)
  - ❌ OSVDB cannot be directly copied because of the license. #288322 (comment 692761260)
  - ❌ I did not count the advisories related to the ruby interpreter versions that are used because this functionality is not supported yet. #288322 (comment 692761260)
Discoto Settings
```yaml
summary:
  max_items: -1
  sort_by: created
  sort_direction: ascending
```
See the settings schema for details.